Cross-Site Request Forgery (CSRF) in splitbrain/dokuwiki


Reported on

Dec 16th 2021


Auditing the AJAX endpoints revealed that some endpoints which perform state-changes do not have CSRF protection.

Proof of Concept

POST /lib/exe/ajax.php?call=draftdel&id=start 


This vulnerability is capable of tricking users to delete their own drafts.


Draftdel js

Draftdel backend

We are processing your report and will contact the splitbrain/dokuwiki team within 24 hours. a year ago
haxatron modified the report
a year ago
a year ago


Looks like the lock ajax endpoint doesn't seem to do much, let me investigate further

a year ago


I think the lock ajax endpoint does not seem to do much, so it does not seem it warrants CSRF protection

We have contacted a member of the splitbrain/dokuwiki team and are waiting to hear back a year ago
Andreas Gohr validated this vulnerability a year ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Andreas Gohr marked this as fixed with commit 242015 a year ago
Andreas Gohr has been awarded the fix bounty
This vulnerability will not receive a CVE
edit.js#L210L215 has been validated
Ajax.php#L163L173 has been validated
to join this conversation